The usage of exploits in current threats underlines the critical need for users to keep programs updated at all times. Considering the great amount of time people spend on their computers connected to the Internet, web browsers are prime targets for cybercriminals.
This is a technical analysis of a recently discovered vulnerability in one of the most widely used web browsers: Mozilla Firefox.
This Mozilla Firefox vulnerability was discussed by Chris Rohlf and Yan Ivnitskiy during their presentation, Attacking Clientside JIT Compilers, at the Black Hat Conference in Las Vegas earlier this year.
This vulnerability, identified as CVE-2011-2371, lies in the Js3250.dll library, specifically in the Js3250!array_reduceRight function, in Mozilla Firefox, and affects versions earlier than 3.6.18, as well as versions 4.0 through 4.0.1. Two proofs-of-concept for this vulnerability were already disclosed publicly earlier this month, by Matteo Memelli and by Metasploit.
We performed some analysis through reverse engineering and tested with the published proof of concept. Through this, we were successfully able to execute arbitrary remote code on Firefox 3.6.16.
Vulnerability Analysis
The following is a sample exploit code:
[Figure: sample exploit code]
If the JavaScript shown above is loaded through the JIT engine by Firefox, the js3250!array_reduceRight function will be executed. It will call the js3250!array_extra function after setting ArrayExtraMode to 2.
The address of (obj->dslots[index]) shows a heap-sprayed address.
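To make the call chain above concrete, here is a simplified C model (added here; it is not SpiderMonkey code and not from the original post) of a dense array whose reduceRight walk reads obj->dslots[index] from length-1 downwards, beside a hardened variant that checks each index against the allocated store. The model assumes, for illustration only, that the out-of-range index comes from a script-visible length larger than the backing store; the post itself does not spell out the root cause. The arena, marker value and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption, not SpiderMonkey code): a dense array whose
 * script-visible length can differ from the number of allocated slots. */
typedef struct {
    uint32_t length;     /* JS 'length' property, settable by script */
    uint32_t capacity;   /* slots actually allocated behind dslots */
    uint32_t *dslots;    /* backing store, one machine word per element */
} DenseArray;

typedef uint32_t (*reducer_fn)(uint32_t acc, uint32_t elem);

/* reduceRight walks from length-1 down to 0 (ArrayExtraMode 2 in the text).
 * Without a capacity check, an index in [capacity, length) reads memory past
 * the backing store: whatever the neighbouring heap holds, which in the attack
 * the post describes is a sprayed value. */
uint32_t reduce_right_unchecked(const DenseArray *a, reducer_fn f, uint32_t acc) {
    for (uint32_t i = a->length; i-- > 0; )
        acc = f(acc, a->dslots[i]);          /* no bounds check against capacity */
    return acc;
}

/* Hardened form: indexes the backing store does not cover are treated as
 * holes and skipped, so 'length' alone can never drive a read. */
uint32_t reduce_right_checked(const DenseArray *a, reducer_fn f, uint32_t acc) {
    for (uint32_t i = a->length; i-- > 0; ) {
        if (i >= a->capacity) continue;      /* hole: not present in dslots */
        acc = f(acc, a->dslots[i]);
    }
    return acc;
}

/* Reducer that keeps the first element visited, i.e. the highest index read. */
static uint32_t first_seen(uint32_t acc, uint32_t elem) { return acc ? acc : elem; }

/* Demo: 4 real slots inside a larger constructed arena whose tail is filled
 * with a marker standing in for sprayed heap. The marker is kept inside the
 * arena so the unchecked read stays defined behaviour in this model. */
uint32_t demo(bool checked) {
    static uint32_t arena[16];
    for (int i = 0; i < 16; i++) arena[i] = (i < 4) ? (uint32_t)(i + 1) : 0xC0C0C0C0u;
    DenseArray a = { .length = 8, .capacity = 4, .dslots = arena };  /* length > capacity */
    return checked ? reduce_right_checked(&a, first_seen, 0)
                   : reduce_right_unchecked(&a, first_seen, 0);
}

int main(void) {
    printf("unchecked: 0x%08x  checked: %u\n", demo(false), demo(true));
    return 0;
}
```

The unchecked walk returns the marker from beyond the four real slots, while the checked walk returns the last real element, 4.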
Whenever a vulnerability is found, the first thing that comes to mind is what we can do to protect users from threats that will make use of it. For users, the default call to action in such circumstances is to check whether they are affected by the vulnerability, and to patch their systems.
However, security updates are not always available immediately. Also, for network administrators, patch management is at times difficult since it requires testing processes to make sure it won’t affect the network in an unfavorable way.
Using a security product that shields networks and systems from threats that leverage vulnerabilities can help keep networks and systems protected before the vulnerabilities are patched. For example, a network administrator using Trend Micro Deep Security does not need to rush to apply the patch, and can wait until patch testing has finished.
For this specific vulnerability, users are advised to upgrade their Mozilla Firefox browser to the latest version, and to refrain from accessing untrusted links or opening emails from untrusted senders. Network administrators are also advised to maintain minimal system privilege for users.
Enterprises already using Trend Micro Deep Security and IDF are protected from exploits leveraging this vulnerability, provided that they have applied the virtual patch that includes the rule 1004722-Mozilla Firefox 'Array.reduceRight()' Remote Code Execution, which was released in July 2011.